The General Data Protection Regulation (GDPR) is set to come into force on 25 May 2018. This new regulation will have direct effect in the EEA/EU and will change the way in which businesses and public sector organisations worldwide handle the personal information of European citizens. The new regulation will improve the rights of data subjects and introduce high penalties for non-compliance.
All Clubs in the International Group have issued a circular concerning the GDPR, which can be found here.
Members operating within the EU/EEA area and those outside the EU/EEA offering goods or services to individuals in that area, or who hold personal data within the EU/EEA, should familiarise themselves with the requirements of the new regulation.
The Club recommends that affected Members undertake a review of their current procedures and action the following where necessary:
- Implement policies for Data Protection, Data Retention and Data Sharing;
- Implement procedures to allow data subjects to exercise their rights under the GDPR;
- Consider the appointment of a Data Protection Officer;
- Establish processes to provide data subjects with information about how their data is processed and their rights;
- Consider the legal basis upon which data is processed and stored, deleting any data where there is no legal basis for its use and storage;
- Enhance the security of communications with third parties (including other P&I clubs) where personal data is transferred. This is particularly relevant to the exchange of sensitive personal information, including health and medical data;
- Establish additional checks to ensure that personal data is transferred to third countries only when permitted (e.g. when there is a legal basis or a separate agreement exists).
The Club has undertaken a number of activities in preparing for the implementation of the GDPR and we look forward to sharing more information about the measures we have introduced in the near future. Some of the actions the Club has taken, or is in the process of taking, are as follows:
- Responsibility for data protection has been assigned to the Compliance Function;
- A Data Protection Policy has been established;
- A Retention of Records Policy has been established;
- A data subject access procedure has been established;
- Standard privacy notices to data subjects giving details of their rights under the GDPR have been produced and are available;
- The location of all data stored on our systems has been identified and mapped;
- The security and integrity of IT and communication systems have been verified, in relation to both systems containing personal data and systems containing sensitive personal data;
- The compliance of our third party suppliers with the GDPR is being verified;
- Data Protection Training will be delivered to all staff in April 2018.
We will in due course publish a dedicated GDPR webpage providing information about our own compliance with the GDPR, and our expectations of Brokers, Correspondents and our third party suppliers.